
List:       spamassassin-devel
Subject:    [Bug 6797] New: lower score for combined RCVD_IN_SORBS_HTTP and RCVD_IN_SORBS_SOCKS hits
From:       bugzilla-daemon () bugzilla ! spamassassin ! org
Date:       2012-05-18 15:44:12
Message-ID: bug-6797-26 () https ! issues ! apache ! org/SpamAssassin/

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6797

          Priority: P2
            Bug ID: 6797
          Assignee: dev@spamassassin.apache.org
           Summary: lower score for combined RCVD_IN_SORBS_HTTP and
                    RCVD_IN_SORBS_SOCKS hits
          Severity: normal
    Classification: Unclassified
                OS: Linux
          Reporter: uhlar@fantomas.sk
          Hardware: PC
            Status: NEW
           Version: unspecified
         Component: Rules
           Product: Spamassassin

Rules RCVD_IN_SORBS_HTTP and RCVD_IN_SORBS_SOCKS seem to hit together too
often, at least here:

% grep -Fh ']: spamd: result: ' /var/log/today/courier \
    | grep -e RCVD_IN_SORBS_HTTP -e RCVD_IN_SORBS_SOCKS \
    | awk '/RCVD_IN_SORBS_HTTP/ && /RCVD_IN_SORBS_SOCKS/ { both++ } END { print NR, both; }'
12 12

% grep -Fh ']: spamd: result: ' /var/log/yesterday/courier \
    | grep -e RCVD_IN_SORBS_HTTP -e RCVD_IN_SORBS_SOCKS \
    | awk '/RCVD_IN_SORBS_HTTP/ && /RCVD_IN_SORBS_SOCKS/ { both++ } END { print NR, both; }'
3 3

They both have similar scores, about 2.5, in the network&!bayes set.
I propose a small score fix, so that together they don't push too hard:

meta SORBS_SOCKS_HTTP (RCVD_IN_SORBS_HTTP && RCVD_IN_SORBS_SOCKS)
describe SORBS_SOCKS_HTTP fix for HTTP&SOCKS proxies in SORBS (usually come together)
score SORBS_SOCKS_HTTP 0 -2 0 0

Note they are both used in deep scanning, so this indicates that proxies are
often open for both HTTP and SOCKS, but mail from such hosts may be valid and
relayed through spam filtering MTAs.

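The overlap count in the report above can be extended to show how the combined hits split between spam and ham verdicts, which is what a score compensation depends on. The script below is an added example, not part of the original report or of SpamAssassin; it assumes spamd result lines of the form "spamd: result: <Y|.> <score> - <RULE,RULE,...> <key=value,...>", and the log lines in sample_log are constructed.

```shell
#!/bin/sh
# Added example: tally RCVD_IN_SORBS_HTTP / RCVD_IN_SORBS_SOCKS overlap in
# spamd "result:" lines. Rule names are compared exactly after splitting the
# comma-separated test list, so longer rule names cannot match by substring.

sample_log() {  # constructed log lines, for illustration only
cat <<'EOF'
May 18 10:00:01 mx spamd[100]: spamd: result: Y 9 - BAYES_99,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_SOCKS scantime=1.2,size=2048,user=a
May 18 10:00:02 mx spamd[100]: spamd: result: . 4 - RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_SOCKS scantime=0.9,size=1500,user=b
May 18 10:00:03 mx spamd[100]: spamd: result: Y 7 - RCVD_IN_SORBS_SOCKS,RCVD_IN_SORBS_HTTP,URIBL_BLACK scantime=1.1,size=900,user=a
May 18 10:00:04 mx spamd[100]: spamd: result: . 2 - RCVD_IN_SORBS_HTTP,SPF_PASS scantime=0.8,size=700,user=c
May 18 10:00:05 mx spamd[100]: spamd: result: Y 6 - RCVD_IN_SORBS_SOCKS,RAZOR2_CHECK scantime=1.0,size=800,user=c
May 18 10:00:06 mx spamd[100]: spamd: result: . 0 - SPF_PASS scantime=0.5,size=600,user=b
May 18 10:00:07 mx spamd[100]: spamd: clean message (0.0/5.0) for b:1000 in 0.5 seconds, 600 bytes.
EOF
}

sorbs_overlap() {
    # $1: log file. Prints: http_only socks_only both both_ham both_spam
    awk '
    /spamd: result: / {
        # Find the "result:" token; verdict, score, "-" and tests follow it.
        for (i = 1; i <= NF; i++) if ($i == "result:") break
        verdict = $(i + 1)
        n = split($(i + 4), rule, ",")
        http = 0; socks = 0
        for (j = 1; j <= n; j++) {
            if (rule[j] == "RCVD_IN_SORBS_HTTP")  http = 1
            if (rule[j] == "RCVD_IN_SORBS_SOCKS") socks = 1
        }
        if (http && socks) {
            both++
            if (verdict == "Y") both_spam++; else both_ham++
        } else if (http)  http_only++
        else if (socks) socks_only++
    }
    END { printf "%d %d %d %d %d\n", http_only, socks_only, both, both_ham, both_spam }
    ' "$1"
}

# Demo run on the constructed sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
sorbs_overlap "$demo_log"
rm -f "$demo_log"
```

A high both_ham share relative to both_spam is the situation in which a negative meta score for the combined hit matters.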
